Can Social Engineering Be Used For Good?
Social engineering, by definition, is the act of obtaining sensitive information and/or accessing a system via manipulation. Think Bruce Lee or Inspector Closeau disguised as telephone repairmen thriving on the naivety of individuals. These days, said telephone repairmen come in the form of phone calls, cornering you with threats of IRS debts that must be paid immediately, and that the best way to pay it is via Target gift cards. Or in the case of social media, accepting fake friend requests from people you’re already connected to. Long story short, falling for their ability to trick you into clicking on a malicious link, accepting that suspicious friend request, or giving out sensitive information can prove to be fatal.
Today’s entry however, is a gander in how social engineering can be used in any manner other than with bad intentions. Those on Instagram, Facebook, or any other social media platform, should be well aware of fraudulent accounts using celebrities or fictional characters as their profile avatars. While the account users’ end goals aren’t always apparent, it’s usually safer to ignore. In the short term, you’ve saved yourself from a sea of spam and that will be the least of your worries.
In contrast to people to watch out for, imagine if someone legitimate reached out to you for a collaborative project. Pretend you’re a portrait photographer here and a budding model likes a few of your photos and engages in a conversation. You vet one another by way of who you’ve worked with, points of interests you have shot at, etc. The outcome could be a casual and fun conversation or it could turn into a TPF (trade for print) photo session. Suddenly there’s a mutual benefit for both parties. This is like the bible verse, “Ask and you shall receive”, put into practice. At the same time, the social engineer, the budding model, in this scenario may also recommend a makeup artist she likes working with. Alternatively, roles can be reversed where you, the photographer, makes this suggestion. This then adds further value to the project at hand.
As another example, I came across an interesting article on Psychology Today from a professor of psychology, Dr. Thomas G. Plante. The article was written six years ago and covered how social engineering can be used as a mechanism to an end goal. In a nutshell, he suggested throwing willpower out the window. This sounds just as crazy as a SaaS (Software-as-a-Service) company saying, “Oh, we don’t mind churning at all.” Before you dismiss the rest of this paragraph, the solution, according to Doctor Plante, is changing the environment. His examples include a gym buddy as a support system, or the lack of unhealthy food consumption increases the probability to sustain a healthy lifestyle. See how I didn’t use “willpower” here?
In hindsight, this is self social engineering as the individual isn’t looking at willpower as a giant roadblock. Rather than changing the environment, the individual’s lifestyle gradually and naturally alters as well. By shifting a variable here and there in the current environment, the individual is one step closer to self-improvement. More importantly, the incremental checkpoint successes leads to newfound confidence.
In another instance, Facebook’s technical program manager, Terry Zink, once applied social engineering as a magic trick. In the article, a telephone number came across his way in a public space. Stowing away the freely given information until a few months later, he decided to approach the subject who leaked out her phone number and asked if she would like to participate in a magic trick. Using eye contact, knowing the answer ahead of time and other forms of body language, he broke down the subjects’ barriers. All of this sounds like taking advantage of a victim. So what was the point of that exercise? Not only did Mr. Zink amaze the subject, but he now has a new trick he can try (and further refine) at other social outings. Anyone want to take bets that he’s tried this on fellow Facebook cohorts?
So in short, all are encouraged to stay alert to social engineering practices such as pretexting, phishing, quid pro quo, tailgating, and so on. In no way or form am I insinuating using social engineering for personal gain. However, social engineering can yield positive outputs that include networking, collaboration, entertainment that serves up instant gratification, newfound confidence, and possibly a memorable day for all parties involved.
Posted by Van Ngo